Threat of the Week: DDoS Becoming an Expensive Fact of Life

The ceasefire is over. Last week, on Feb. 25, the Cyber Fighters of Izz ad-Din al-Qassam renewed their Distributed Denial of Service attacks against U.S. financial institutions. That included again taking down the websites of two credit unions: the $1.5 billion University FCU in Austin, Texas, and Patelco, the $3.8 billion Pleasanton, Calif., institution.

They issued the same demand – removal of an anti-Islam video from YouTube – and said their campaign against financial institutions would continue.

What is new is that the conversation about how to respond to the industrial-grade DDoS unleashed by the Cyber Fighters is beginning to shift. Another change: there’s new talk of an affordable credit union specific solution.

As for the appropriate response, at least some experts suggest that perhaps not responding at all is suitable. Said a senior IT executive at a billion-dollar institution who asked to be anonymous because he is not authorized to speak for his credit union: “It’s all about risk assessment.

“If your services are hosted on-premise and the service needs to be available then DDoS mitigation will be a new cost of doing business. For smaller orgs who outsource, they need to contractually compel their vendor to have mitigation in place and ensure the mitigation is adequate to address attacks. The occasional outage from DDoS is something, I believe, hard to get around.”

Read that last sentence again: he is saying that living with outages may be a necessity as the Cyber Fighters – presumed to be nation state sponsored – unleash ever more sophisticated and powerful attacks.

An analogous question might be: Could you secure your credit union against penetration by a Navy Seal team? Possibly, but at what expense? At what inconvenience? And why: what’s the probability the Seals would target your institution?

Similar thoughts percolate when guarding against the Cyber Fighters who, thus far, are not themselves linked with attempted fraud or with attempts to infiltrate member account data. All they seem to want to do is shut down financial institutions for several hours and, suggested that IT executive, maybe that’s an acceptable inconvenience.

They also are not known to have dipped below a $1 billion threshold, which would leave 90+ percent of credit unions safe for now.

The NCUA has of course issued its risk alert regarding DDoS and it mandates certain actions by credit unions – but on most readings it would permit credit unions to not have the ability to stand up to heavy-duty DDoS.

Pretty much everybody believes there needs to be internal resources – at just about every credit union – for defending against garden variety DDoS, the kinds unleashed by angry ex-employees, criminals looking to create a distraction, and the maladapted. The difference: These attacks generally revolve around low-power botnets of zombie PCs and they do not pack that big a punch.

But the punch they do pack nonetheless is plenty to knock out many credit unions. Here is the issue: the typical credit union has around 100 megabytes of available bandwidth and garden-variety DDoS now routinely generates one to two gigabytes of traffic. Industrial-grade DDoS has been said to hit 50 gigabytes of traffic.

Do the math: it’s easy to see how credit unions get knocked offline by DDoS because the traffic volume is overwhelming.

The ability to defend against routine DDoS may well have become a business necessity, suggested Kirk Drake, CEO of technology CUSO Ongoing Operations in Hagerstown, Md., in an interview.

The problem: many credit unions can’t come up with the minimum $10,000 per month needed to mount a credible mitigation effort, said Drake.

A two-pronged response usually is required. The first piece is bringing on board, at least temporarily, huge amounts of bandwidth to handle the high volume of traffic. The other prong is having the tools to sort traffic into good and bad and to route the bad traffic into a harmless detour.

Assembling both the tools is not cheap and that has been a hurdle for many credit unions. So Drake’s CUSO is knee deep in exploring the how-to of offering a CUSO-generated mitigation tool set that, believes Drake, he can price at $2,000 per month or lower.

“There is huge demand for a DDoS solution that doesn’t cost so much it puts the credit union out of business,” said Drake.

Drake is so ambitious that he believes, just maybe, this Ongoing Operations mitigation tool set might even have the muscle to ward off nation-state level DDoS attacks.

He said Ongoing Solutions is not talking about vaporware, that in fact this week will see implementation of the tools at several Ongoing Solutions board members – Drake did not name names – and, he added, “We want to make sure we have this right before we roll it out more broadly but we expect to go live with an offering in a month or two.”

The good news: Downward pressure on DDoS mitigation pricing will likely accelerate as vendors hunt for clever ways to assemble spare bandwidth pipe for temporary use and they also seek to aggregate users who might share various mitigation tools rather than in effect own them outright.

This just might allow credit unions to buy the protections they do need.